Authenticate Users and perform actions with InfusionSoft via a link

Using the InfusionSoft API to perform actions on contacts is a powerful and effective way to manage your prospect and customer database using Infusionsoft. Some caution is required, however, to prevent actions from being executed by curious people who like to alter the links you send via email.

Here is what I am talking about. Let’s say you send an email to your prospects via your Infusionsoft account and you pass the contactId of the prospect in a link to a script on your site, like this: http://www.YOURDOMAIN.com/script.php?id=12345

If you execute an API call to add a tag, run an actionset or start a follow up sequence just because someone clicked the link with the id string, you open the door for the curious and bored to mess with your prospect list. It is too easy to change the id value to another number and refresh the browser, resulting in actions on another prospect's record.

Ok, this may not be a big concern for you and you may be saying ‘no big deal’. Let me show a few examples of why it is a big deal.

Let’s say your link executes an API call to start a new follow up sequence. If one person refreshes their browser 100 times with different id values, you now potentially have 100 people getting emails they know nothing about and some might say you are spamming them.

Another, more troublesome possibility is a link that executes an action set performing many actions, such as charging the credit card on file for a new product.

I say, do not give your list members the ability to mess with your data at all.

Below is a script I use in many places. It authenticates a contact to prevent abuse. It uses the SDK system to connect to the Infusionsoft API and can be found in FuseBox inside Infusionsoft - search for SDK.

Please leave comments and let me know what you think.

Thanks.

Todd Thompson

Copy and paste this code into a Notepad document and save it as authenticate_user.php, or whatever name you wish to give it.
Get the PHP code here!
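
As an added illustration (not the author's script), here is one way to make the check described above, assuming the link carries both the contact's id and email, as the author's reply in the comments describes. The function names are hypothetical, and `load_contact_email()` stands in for the API lookup using a constructed table so the file runs offline.

```php
<?php
// Added example, not the author's script. load_contact_email() is a HYPOTHETICAL
// stand-in for the API lookup of a contact's stored email; the table is constructed.
function load_contact_email(int $id): ?string
{
    $constructed = [12345 => 'pat@example.com', 12346 => 'sam@example.com'];
    return $constructed[$id] ?? null;
}

// Returns the contact id only when id and email in the link describe the same
// contact record; returns null for every other case.
function authenticate_link(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $rawEmail = $query['email'] ?? '';
    $email = is_string($rawEmail)
        ? filter_var(trim($rawEmail), FILTER_VALIDATE_EMAIL)
        : false;
    if ($id === false || $email === false) {
        return null;                      // malformed or missing parameter
    }
    $stored = load_contact_email($id);
    if ($stored === null) {
        return null;                      // no such contact
    }
    // Case-insensitive, constant-time comparison of stored vs. supplied email.
    return hash_equals(strtolower($stored), strtolower($email)) ? $id : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo inputs: the genuine link, then the same link with the id altered.
    var_dump(authenticate_link(['id' => '12345', 'email' => 'pat@example.com']));
    var_dump(authenticate_link(['id' => '12346', 'email' => 'pat@example.com']));
} else {
    $contactId = authenticate_link($_GET);
    if ($contactId === null) {
        // Same response for every failure, so the page does not reveal which ids exist.
        http_response_code(403);
        exit('This link is not valid.');
    }
    // Only past this point should the API call (tag, action set, follow-up
    // sequence) be made, and only for $contactId.
}
```

The pairing stops id guessing, but anyone holding both values for a contact (for instance from a forwarded email) still passes, so an action such as a card charge warrants a further confirmation step.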

 
 

 

3 comments

  1. Thank you Todd for the excellent write up and php script. I’m curious what API links you’re using in emails to initiate tags, follow-up sequences and orders that you wouldn’t just use Infusionsoft’s trackable links for. By nature, they are a bit more secure than the API without taking additional measures.

    Are you running actions through the API that aren’t available inside the trackable link action sets? If so, I’d love to hear about it!

    Best,

    Jarrod Morris
    Marketing Mavens

  2. Jarrod,

    Far more flexibility is allowed when you control the actions
    that take place on the landing page instead of creating a tracking link.

    That is the primary reason I prefer to accomplish tag, actionset, orders,
    and follow up sequences via the method described in this post. Once
    my prospect hits the page with their email and id in the string, I
    can do virtually anything on that page, and in that session throughout
    our site, via the API OR via auto-submitting forms prefilled with
    their contact data.

    Thanks for the comment.

    Todd Thompson
